Exploits/vulnerabilities

I haven't spent a lot of time (yet) looking into this, but I wanted to ask the Zimbra community if anyone else has seen this type of activity with their Zimbra hosts.

I am running a fairly new install of 4.0.5 and some of my users are getting their accounts hacked/changed and are sending large amounts of spam. I can find the accounts that have been compromised. The user's signature is turned on saying:

"Attn: Winner

Your e-mail address attached to the Batch N0:P2/0056/2008 with Serial
number: 06/1055 drew,12-04-08 [5] [11] [13] [17] [14] [48] [25],
which subsequently won you a prize in the category B. You have
therefore been approved to claim a total sum of £1,500,000.00 (One
Million ,Five Hundred Thousand Great British Pounds) in cash credited
to file Ref N0: KPL/09-002/JA"

Then under the Primary Account Settings the users' info has been changed. The from says "Mrs Rita Jones" and the reply to field is changed to "mrsriajones208@yahoo.co.uk".

The kicker is that I'm still in the middle of converting our users from our old mail system to Zimbra.

Has anybody else noticed this kind of activity? Any thoughts on how the info is getting changed inside of Zimbra?